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We show that for Eve to get information in one basis about a state, she must cause errors 
in all bases that are mutually unbiased to that basis. Our result holds in any dimension. 
We also show that this result holds for all functions of messages that are encrypted with 
a key. 
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1 Introduction 

Ideal quantum key distribution (QKD) with qubits^ is known to be secure El EH CO El- 
and the security proofs are based on what are called information- vs. -disturbance results. 
The basic QKD protocol involves the following steps: Alice transmits one of four possible 
states randomly chosen from \0)x, |l)x> |0)z, and \l)z, i.e., the basis vectors in the X and 
Z bases. The basic information- vs. -disturbance result states that if the eavesdropper, Eve, 
obtains information about which basis vector was sent in for example, the X basis, then she 
must introduce disturbance in the Z basis. By disturbance, it is meant that if Bob made 
measurements to distinguish between the two states sent in the Z basis, then he will observe 
errors. Thus Alice and Bob can test a random subset of a transmitted block of qubits in the 
Z basis and estimate the information that Eve has about those in the X basis. If the error 
rate is small enough in the tested qubits (hence, Eve's information about the qubits in the X 
basis is small enough), then Alice and Bob can use classical error correcting and amplification 
schemes to distill an informationally secure key from the qubits sent in the X basis. 

In this paper, we consider a general setup involving D dimensional quantum states, instead 
of the 2-dimensional systems considered in the QKD literature. The basic setup is as follows: 
Alice sends states chosen randomly from among the basis vectors of a particular basis of the 
D dimensional Hilbert space. She intends these states to act as the information states, i.e., 
the log D bits per transmitted state will be used to distill a final key. The natural questions 
that arise are (i) which set of states should the "test" states come from, and (ii) what is the 
corresponding information- vs. -disturbance result for a D-dimensional space. 

We first extend some basic distinguishability bounds found for qubits[7] to D-level systems. 
That is, if a source S outputs one of n D-dimensional quantum states randomly, then we derive 
bounds on the mutual information between S and any measurement output E, only in terms 
of the properties of the quantum states generated by S. In other words, we bound the mutual 
information between the random variable representing which state was generated by S and 
the random variable representing the output from a generalized measurement of the states 
output by S. These results are powerful because they only depend on the source and not 
on any measurement done. We next apply these bounds on distinguishability to relate the 
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amount of information eavesdroppers can obtain to the disturbance they cause in the quantum 
state. In particular, we prove a generalized information- vs. -disturbance result: if Eve gets 
information about which basis vector (from the chosen basis in D dimensions) was sent by 
Alice, then she must introduce disturbance in any basis that is mutually unbiased to the basis 
chosen by Alice. 

In terms of previous work, our results generalize those in ^IHj- We would also like to 
note that QKD in dimension 3 was studied in |51ll(J). Security bounds for individual cloning 
attacks in dimension D have been reported^]. More recently, qubit QKD techniques |S] 
have been generalized to prime dimensions|12j. By contrast, our bounds apply to any attack 
in any dimension. Also, this work further illuminates the relationship of mutually unbiased 
bases (MUBs) .13 to quantum cryptography. Previously, it was shown that the eigenvectors 
of maximally commuting quantum encryption operators form MUBs[H], Here we show that 
when Eve tries to get information in one basis, she disturbs all MUBs. Our result may be 
viewed as form of an uncertainty principle: the more Eve knows about one basis, the more 
she disturbs all conjugate bases. 

In addition to applying the above bounds and techniques to the security of quantum keys, 
we also consider functions of messages encrypted with those keys. If Alice and Bob share a 
key k, it may be that Eve learns only exponentially little information about k, but she may 
be able to learn a lot about some function of a message f(M), given the encrypted version of 
that message to + k. In particular, consider the following setup: Alice sends a random basis 
vector \k) belonging to a chosen basis to Bob. Alice next publicly announces she sent basis 
vector \k © m), where is the bitwise exclusive or (XOR) operation. Bob could then recover 
the encrypted message to. Now, we know that information of Eve about k is bounded by 
the error she causes in any basis that is mutually unbiased to the chosen basis. How about a 
function f(M) of the message? For example, Eve might be interested in only learning whether 
to = or not. In a previous work[S], it was shown that given the encrypted message, to + k, 
the information that Eve gets about any function of an encrypted n-bit message /(to), is 
bounded by the square root of the error Eve's attack causes in the Hadamard transformed 
basis. More recently, alternative and more general solutions to this problem have been given 
USEE]- In this work we extend previous resultsjH] beyond qubits to (i-dimensional systems. 
Also, we show that Eve's information is bounded by the error she causes is any MUB. 

This paper is structured as follows: Section[2]gives various new bounds on distinguishabil- 
ity and classical information accessible from quantum states; Section [21 applies these results 
to obtain "information-vs-disturbance" results for QKD; finally in Section 0] we show these 
results also hold for functions of encrypted messages and not just for the keys themselves. 

2 Bound On Information For Any Source 

In 0, many bounds are given on the distinguishability of two quantum states. In this section 
we generalize some of those to the distinguishability of n quantum states. Our setting is the 
following: A source outputs one of n quantum states. The random variable representing the 
source is S i.e., it is the identifier of the particular quantum state made available at the output 
and can be generated by purely classical means, such as flipping coins or spinning wheels. A 
general measurement is made on the state, which results in one of several measurement out- 
comes represented by the random variable E. We consider bounds on the mutual information 
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I(S; E) valid for any measurement, which is to say, the bound will only be a function of the 
quantum states emitted by the source. 

The bounds here address the same problem as the well known Holevo boundpTj. which is: 

I(S;E)<H(p)-Y,PsH(ps) (1) 

s 

where H (p) is the Von-Neumann entropy of the density matrix p. The main difference between 
the results of this section and the Holevo bound is that these results deal explicitly with a 
distance metric, namely the trace norm distance, between two density matrices. Using a 
simple distance metric allows a certain ease in proving the results in Section 

In the appendix, we review certain previously published 0IH] bounds on distinguishability 
of quantum states. As we will see later in the paper, this allows us to derive the fundamental 
information vs. disturbance results that are at work in quantum security protocols. Addi- 
tionally, these results give an important insight into the robustness of the trace norm as a 
metric bound for information. 

We begin by developing a lower bound on entropy and then applying that bound to the 
mutual information. 

Lemma 1 For any random variable X' with each probability p/ < 1/2: 
H(X)>H(X')-J2^g(^)\Pi-Pi'\ 

Proof.if (X) = - Y^iPi logK; so if we define }(jpi) = -pi logft, we see that H(X) = £\ f(pi). 
See that / is concave and is zero at pi = 0, 1; thus lemma |A. II applies : 

f(pi) > f(pi')-^p-\Pi-Pi'\ 
Pi 

Plugging this into the definition of entropy: 

H(X) = Y^ffa) 

i 

> E(/(p*')-^fPbi-p/l) 

= F^O-^log^lft-p/l 

i Pi 

I 

Lemma 2 For any source S that outputs s with probability p s such that p s < 1/2, the mutual 
information is bounded: 

I(S;E) < £p s log(l)]T|p(e| S )-p(e)| 



*We do believe, however, that it is possible to obtain similar results by applying the purification techniques 
of Section |21 directly to the Holevo bound. 
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Proof.Make use of lemma 



7(5; E) = H(S)-H(S\E) 

= H(S)-J2PeH(S\E = e) 

e 

< 77(5) - (h(S) ]T log(i)b(s|e) - p.|J 

= Z^Z^^ lo s( — )l p( e )l 

e s Ps Ps 

= ^2^2Ps\°g( — )\p{e\s)- P {e)\. 

e s Vs 

I 

Lemma 3 If a source S outputs quantum states pi with probabilities pi with pi < 1/2, then 
mutual information between this source and the output of any measuring device E is bounded: 



I(S;E) < Y,Pslog(-)Tr\p s -J2 



PsPs 



Proof.Define the notation p — ^2 s p s p s - Starting from lemma [3 we use the definition of a 
POVM to replace p(e\s) with Tr(E e p s ): 

7(5; £0 < £$>log(-)b(e| S )-p( e )| 

e s Ps 
Ps 

e s 

= EE^ l0 S(^)l Tr ^e(p S -p))| 
Ps 

e s 

Using the same facts about POVMs as in lemma 1X31 one can show that 

J2\Tr(E e ( Ps - p))\ < Tr\p a -p\. 

e 

Hence, we have: 

7(5; E) < Y^p s \og{-)Tr\p s -p\. 

s P* 

I 

Corollary 1 If a source S outputs one of n quantum states pi with probability 1/n, then 
mutual information between this source and the output of any measuring device E is bounded: 
7(5;£)<logn£ s ^|p s -p|- 
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Proof.For all n > 2, then 1/n < 1/2, hence lemma [3] applies: 

I(S;E) < y2p s log(-)Tr\ Ps -p\ 

= lagny2~Tr\p s - p\ 

s 

I 

Now we have a basic lemma in hand which gives an upper bound on the information any 
measurement device can get from any source, purely in terms of the quantum states emitted 
from that source. In the next section, we will model the eavesdropping process as a source 
of quantum states for Eve. Eve is free to measure states in any way, but using the previous 
lemma, we have an upper bound on how much information she may obtain. 

3 Security of Quantum Key Distribution 

We now have the tools necessary in order to derive an information theoretic counterpart to the 
Heisenberg uncertainty principle. This result is the basis for quantum security results in 0|. 
Quantum key distribution (QKD) is directly related to the setup we considered in the previous 
section. In general, in a QKD setup Alice has the source S that outputs one of n quantum 
states; Alice transmits the output state over a quantum channel to Bob. This quantum 
channel, however, can belong to the eavesdropper Eve, who can perform any operation that 
quantum mechanics allows. Figure [3] gives a schematic of the most general attack that Eve 
might perform. From her perspective, she has access to a source, and she can make any 
measurement to get information about what was sent. Bob thus receives a state that Eve 
has already processed and makes his own measurements using a fixed protocol that is known 
to everyone. Alice and Bob complete a block transmission of several output states of the 
source S, and then use classical communication over an open channel to distill a secret key. 
Eve can listen in as well on the classical channel, but cannot perform a person-in-the-middle 
attack on the classical channel, which will make the whole protocol trivially unsecured. Such 
a classical channel can be easily implemented by message authentication, e.g., via previously 
shared secret bits between Alice and Bob. 

Security of the QKD schemes depend on the amount of mutual information between Alice's 
source, S, and Eve's measurement E (i.e., I(S] E) as considered in the previous section) when 
measured as a function of the disturbance that she causes to the state received by Bob. The 
intuition from quantum mechanics is that measurements will disturb the system; hence, Alice 
and Bob can use a random subset of the transmitted quantum states for testing purposes, and 
detect the error rate on this subset, and thereby infer how strongly has Eve attacked the whole 
block. The underlying result and assumption here is that if the error she causes is less than 
a threshold then so is the mutual information I(S;E). They proceed with key distillation 
only if the test errors are below a pre-specified threshold. Next, one can use classical privacy 
amplification schemes to show that as long as I(S; E) is small enough (as implied by the 
disturbance), then one can make the mutual information between E and a final distilled key 
as low as possible. These classical techniques involve the use of error correcting codes. 

Thus, the derivation of an appropriate "information vs. disturbance" result lies at the 
heart of all security proofs for QKD. While it is clear what we mean by "information," (as 
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Fig. |3 Most general attack by an eavesdropper. 



denned by the quantity I(S;E)), we have not yet quantified and defined what we mean by 
"disturbance." In various security proofs of QKD, researchers have adopted the following 
strategy: (i) In the protocol, the source S outputs states chosen from the basis vectors 
belonging to two different bases, e.g., the X and Z bases, (ii) The information vs. disturbance 
results then refer to the information about which basis vector from one of the bases (e.g., X) 
was sent, and the disturbance caused in the second basis (e.g., Z). That is, Eve cannot 
simultaneously get significant information about which basis vector was sent in one basis, 
without causing errors in Bob's inference about which basis vector was sent in the other 
basis. Thus for testing purposes, one could use the states in one of the bases and the observed 
error rate will put a bound on the information that Eve has about which basis vectors were 
sent in the other bases. 

Specifically, Lo and Chaujjl] use an EPR based scheme and show (using the Holevo bound, 
equation that if the fidelity between Alice and Bob is greater than 1 — S for R singlets, 
then Eve's information about the final key is bounded by: 

i < -(i-<j)iog(i-5)-<nog^- T 

The above information-vs-disturbance result is used directly by Shor and Preskill in their 
quantum code based proof 0. Rather that deal with the fidelity of singlets, Biham et. al.0] 
use trace-norm techniques to show that Eve's information on each bit is bounded by the 
square root of the probability that she would cause more than v/2 errors had Alice sent the 
bits in the opposite basis (X replaced with Z and vice- versa), where v is the minimum distance 
between the privacy amplification code and the error correction code. The security of QKD 
directly depends on the above results: Eve's information is always bounded once Alice and 
Bob verify that their states have not been greatly disturbed. 

In this section, we generalize such information vs. disturbance bounds for states in any 
dimension D, and also provide a natural choice of the bases to be used in these results. At 
this point it is useful to define the concept of Mutually Unbiased Bases: 
Definition. Let B\ = {|</Ji), . . . , | </?£>)} and B2 = ■ ■ ■ , |V , -o)}be two orthonormal bases 

in the D dimensional state space. They are said to be mutually unbiased bases (MUB) 
if and only if = -jg, for every i,j = l,...,d. A set {Bt, ■ ■ ■ ,B m } of orthonormal 

bases in C D is called a set of mutually unbiased bases (a set of MUB) if each pair of bases Bi 
and Bj are mutually unbiased. 
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Thus, given two MUB B 1 and B 2 , we get B x B\ = H, where \H itj \ = l/VD, and H is 
a unitary matrix. Hence, H can be regarded as a generalized Hadamard matrix in dimension 
D, and the two bases are related by the transformation Bi = HB 2 - We next derive a general 
theorem which shows that whatever the dimension, if Eve gets information in one basis, she 
disturbs all bases which are MUBs of that basis. Since two MUB are related by a generalized 
Hadamard transformation, the result in Theorem 1 implies that retrieving information in one 
basis causes disturbances in all the conjugate bases. 

Finally, it should be emphasized that we only consider a single Z?-dimensional state. This 
is not a limitation: any product of quantum states can be thought of as a state in a larger 
dimensional space. Thus, if we consider standard BB84, n 2-dimensional systems (bits) are 
sent. In our approach we would consider that as one 2™ dimensional system. The same 
applies for any product of quantum states. These results generalize those presented in jS], 
which proved the following theorem only for dimension 2™ and for one pair of bases (the 
standard Z and X bases). 

Theorem 1 If Alice sends a randomly selected element from a D- dimensional basis (rep- 
resented by the random variable A) to Bob, the information Eve's measurement (represented 
by E) has about Alice's state is bounded by the sguare root of the probability that Eve would 
have caused errors in any MUB with respect to Alice's basis: 

I(A;E) < 41ogL>y / i^. 

Proof. We will use lemmas IA.6I and IA.5I and corollary ^ Starting from corollary we see 
that: I(A;E) < log£>^ i T>\pi ~~ p\- O ur approach will be to bound this by introducing a 
purification^for pi (the state that Eve holds when Alice sends i). Using the purification and 
lemma lA~6l we can bound the original trace norm distance. 

To attack the state sent to Bob, Eve attaches a probe in a fixed state (say the |0) state) 
and applies a unitary operator. She then passes Bob his part, and does some generalized 
measurement on what she still holds. We can characterize this formally: 

\0) E \i) A Zj2\Ei,j)\j) 
j 

We represent the MUB as: 

3 

With H being a generalized Hadamard matrix on these D-dimensional basis: \Hji\ = 
Applying this to Eve's attack, we obtain: 

|o) b |7)a-£|^)|7> 

j 

where \E^) = E iV H^Hp^ d> ). 

From the axioms of quantum mechanics, we know that if Alice sends \i) the probability 
that Bob will measure \j) is P(j\i) = (E iy j\Eij). Similarly, if Alice sends \i) Bob will measure 
\j) with probability P(j\i) = (E h3 \E zJ ). 

tsec definition IA.1I 
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We are now prepared to compute the probability that there are no errors in the MUB: 

p = 5^ P (i)p(i|t) 

i 

i 

= ~f) X! H^HkiHmHy^Ei^Ei^kr) 

i k,l,k' ,1' 

= i E ( E i,k\ E i', k >)J2 H *i HkiHl 'i H «i ( 2 ) 



k,l,k',V i 

When Eve's states are considered without Bob, her state will look like pi = J^j \ E i,j)( E iJ I • 
Now we will define a purification for Eve's states that will allow us to compute a bound on 
Pq. We assume that Eve holds 

\<fH) = Y,\EiMjh (3) 
j 

where \ipj) is an orthonormal basis for each choice of i. Due to the orthonormality of \ipj), 
\<f>i) is a purification of pi because Tr2\<fii)(4>i\ — Pi- We also define the generalized Hadamard 
transform of these states: 

|^> = ^fl£|&>. (4) 

i 

The Hadamard transform is unitary, so see that \<f>i) = Hij\(f>j). It should be noted that 
our purification (</>,•) for Eve's states is not orthonormal or normalized. In fact, this is a 
property of which we will make use in order to get a bound. We now calculate the norm of 
the \<fio) and see that with the proper choice of \ipj) that it is proportional to the probability 
that there was no error, P a : 

1,1' 

= T,T, H ^ H *'o( E iM E i',k'M\4') (5) 

1,1' k.k' 

At this point we will parameterize \tp l k }'- 

i 

with any choice of a^i so long as (ip l k , \ip k ) = 5 k 'k- ln order to match equation[21with equation 
|31 we choose 

am = . (6) 

H m 

To see that our choice of aiki is valid, recall that |-ffjj| 2 = 1/-D and simply compute 

i^i'i^k) = ^Z a *ik^ a ikt 
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= I u 12 E \ H li\ 2H k'iH* ki 
\ H 10\~ ^ 

= ^ H k'iHti 

i 

— 5k'k 

which is what we need to show to make equation[3]a valid purification. With the above choice, 
equation [S] becomes 



M0o) = J2J2 H to H i'o(Ei,k\Ev, k ')(^ l M') 

1,1' k,k' 

= J2 (Ei, k \Ei',k')J2 H *i H ^ H ^ H k'i 



k,l,k',l' i 

= DP . 

Thus we have related the norm of \<fio) to the probability that there are no errors 'in the 
MUB. 

Define p/ = \(j>i){(j>i\ and p' = jj J2 t Pi- Now we compute (0o|//|0o): 



i 



D 

Since \H* k \ 2 D = 1, we can rewrite the above as 

(Mp'IM = dJ2^\h!MJ2 h 



D 

3 

Since f(x) = \x\ 2 is convex, then | J2iPi x i\ 2 — J2iP A "" J 



* 3 

= ^(^lEE^^ 

3 i 

= "ly^E^ 



< i\Yj)\ 



^\{M<t> k )\ 2 



-f If the Hadamard transform is isomorphic to a group such that H^Hj^. = H i+ j k -^= and H ik H* k = 

H i _jj c -^= we can show that the probability of an error e in the Hadamard transformed basis (i.e. Alice 

sends i but Bob receives i + e averaged over all i), is P e = (0 e |0 e )/D. In this case, = \i — j). Indeed, 
this is the case for the standard Sylvester type Hadamard matrices. 



9 



We can set k to any value we like, in particular k — 0. We have previously shown that 
(00 |0o ) = DPq, putting this together: 



(00 1 00 ) 



= (0o|0o)P> 



> Po 



We are now ready to prove the theorem. Since Tr 2 (yO-) = pi and Tr 2 (//) — p we may 
apply lemma IA.6I We will see that we may introduce an intermediate pure state to make 



the bounding of the information easier. The pure state we will use is 
corollary ^ 

I(A;E) < l 0g Dj2^\Pi-p\ 



I'M (0o I 

(<t>o\<t>o) 



Starting with 



< \ og Dj2^\Pi-p' 

i 



I0o)(0ol , |0o)(0o| 



(00 1 00 ) (0o|0> 



i U (00 100 ) 



|&) (0o1 



< 



(0o 1 00 

1 _ (0oj/V|0o) +2 



p'\) 



\ 



(00 1 00 ) 



21ogL> 



< 21ogL> 



\ 



1 - 



(00 I Pi' 1 00 ) 



1 (0oM0o) 

(00 1 00 ) 



\ 



1 - 



(00 1 00 ) 



= 41ogL> 



\ 



1 (0oWo) 

(00 1 00 ) 



< 41ogZVl -P 

Where 1 — P = P~ is the probability that there is an error in the MUB, which proves the 
theorem. I 

The previous theorem is what gives security to quantum key distribution schemes; however, 
we have only shown that QKD schemes are secure if the errors caused in any MUB are 
extremely small. Using quantum coding based approaches we believe it is possible to use 
the above theorem to get a simple unconditional security proof that applies in dimension D. 
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In the following section, we will apply these same techniques to show that Eve also cannot 
learn functions of messages. 

4 Security of Functions of Messages 

According to theorem^ if the fidelity Bob would have had in any MUB is exponentially close 
to unity, then Eve's information is exponentially low about which of the basis vectors in the 
chosen basis was sent. We will refer to the identifier of the basis vector sent by Alice as the 
key, and Alice can use the key to encrypt a classical message. For example, after sending a 
basis vector |fc) to Bob, Alice could publicly announce she sent basis vector \k®m), where © 
is the bitwise exclusive or (XOR) operation. Bob could then recover the encrypted message 
m. 

The above mentioned information vs. disturbance result does not address the question 
of what information Eve might get about a function of a message encrypted with that key. 
Suppose Eve only wants to know if the message has a particular value, i.e., she wants to 
learn the indicator function: f(m) = 1 if m = mi, else f(m) = 0. This function only 
has exponentially little information about the message itself. To see this, suppose each of d 
messages are equally likely, then 

H(M) = logd 

H(f(M)) = Jlogd-(l 

H(f(M)\M) = 

I(f(M);M) = H(f(M)) . 

If d is large, then H(f(M)) « \ logd, but, d = 2 HiM \ so H(f(M)) w 2~ H W>H(M). Hence, 
in this case, Eve only has to learn exponentially little information. Since QKD security 
proofs |3 131 El El only give exponentially strong security, it is not clear a priori that QKD 
will be sufficient to prevent Eve from learning any function of the message. 

The next theorem will show that Eve must cause errors to learn any function of the 
message, even if it has exponentially little information with the message itself! 

Throughout this section we work with some group operator + and all operations are in 
that group. In dimension 2™ the + operator will usually be bitwise exclusive or (XOR). 

Theorem 2 Alice sends the D dimensional state \k) to Bob, with k chosen uniformly at 
random, and after Bob has received the state Alice announces a = m + k (represented by the 
random variable A). Denote f(M) as the function f of the random variable M , and f(K) is 
the function f of the random variable K . The information Eve can get about any function of 
m, f(m), is bounded by the square root of the probability that Eve would have caused errors 
in any MUB: 

I{f(M);E\A) < H{f(K))A^P~ 
Proof. This proof will follow closely the proof of theoremnjand use the same tools. If a = m+k, 

§ It should be noted that this result is not true for the key itself. If Eve only wants to learn if the key was a 
particular value kg, she may do so without disturbing the state very much 
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then f(m) — f(a — k). The state consistent with a function value i is: 

1 \^ 

CTi = — 2-^ PkPk 
1 k:f(a—k)—i 

with qi = J2k-f(a-k)=iP k - Note that since Pk = j> then the probability of an announcement 
a = m + k is also \ ■ As such, % does not depend on m and is only related to the number of 
inputs to the function / which have a given output. The averaged state is: 

u a = Y.^ a 

i 

= 12 12 pkpk 

i k:f(a—k)—i 

Since each input has one and only one output and ph = j : 



k 

The definition of mutual information l3j means that: 

I(f(M);E\A) = £p B I(/(M);£|A = a) 

a 

Using lemma 

Y,PaI(f(M);E\A = a) 

a 

a i 

= - X qi lo s qi 12 Pa 1^° ~ p \ 



12 qiiogqi 12 pa \ (ii 



\<M{4>o\ , I0q)(0q1 ■ 



(0o|^o) (00 1 00 

^ 1 V - * I I a I0o)(0o|, . ,|0o)(0o| 

\ (00 |0O ) (00 1 00 ) 

1 (fey 



Pi 



\ 



x _ (0o|p|0o) 



» o | <po ; 



\ 



S a Pa (J » a |0O 
(00 1 00 ) 



(0O|P|0O> 



oo\<Po 



We can simplify the quantity J2 a Pa (J i a by remembering that p a — 1/d and % is independent 
of a: 



2^d ai = ^d 



1 Sfc:/(a-fc)=i d^ fe 
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~ Qi^d 2^ d Pa+m 
a m:f(m)—i 

" ql ^ d^d pa+m 

m:f(m)—i a 

In the last sum, we sum over all a with equal weight; hence, the m dependence disappears: 

V- 1 a 1 v-^ 1 v-* 1 

^d a * = Ti ^ d^d Pa+m 

a m:f(m)=i a 

= 7< E S» 

m: f(m)— t 

= p 



Putting this back into the information bound: 
Y J PaI(J(M)-E\A = a) 



N 



1 _ (^olEo^gi^o) 2 
(0o|0o> 



1 - 



(0oWo) 

(</>o |<M 



^ _ (0]H0o) x 

(00 1 00 ) 



1 - 



(0oH0o) 



(00 100 > 



= 4ff(Q) 

< H{f{K))^P~ 
Which proves the result. I 
5 Concluding Remarks 

By developing bounds on entropy, we are able to bound the amount of information that 
measurements can get from a quantum source. Modeling eavesdropping in quantum key 
distribution as a quantum source, we are able to bound information that an eavesdropper can 
get. Since this bound is a function of the errors that would be caused in any MUB, Alice 
and Bob can use their measurements to estimate this figure. Therefore, Alice and Bob can 
bound information that Eve has about the information they share. In addition to showing 
security of such information, we show that any function of messages encrypted with this 
secret information is secure. This is a very strong statement about the robustness of quantum 
security. 
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Appendix A 



6 Bound on Mutual Information for 1-bit Sources 

Suppose there is a classical source S which sends one of two signals; zero or one. Also suppose 

that Ps—i < p s =o- Following 0, we first come up with a linear bound on H(p): 

Lemma A.l For any concave function H(p) with H(0) = H(l) = and any p' < 1/2, 

H(p)>H{p')-^l\p-p'\ 

Proof. Consider two regions, p < p' and p > p'. H(p) is concave, which means that H(ax + 
(1 — a)y) > aH{x) + (1 — a)H(y). Applying this with x = p', a = p/p' and y — 0, we obtain: 
H(p) > H ~? p, which is exactly what we need for p < p' . In the region p > p' we want 
to show that H(p) > H{p') — ^y-H{p'). Again using the concavity, set y = p',x = 1 and 

_ £-p^ then that 

i-p' 

,p — p' + p' — pp' 



H{p) = H{i 



l-p' 



,v — p' 1 — p 

> p -^h(i ) + 1-JLh(p>) 
l — p l — p' 



l - p> 

= n<jt)-^H<3/) 

Since p' < 1/2, this implies that tzt < 2 < ^- and j^-j > We know that p > p' in this 
region, so p — p' is positive, thus: 

H(p) > H{p>)- P —^H{p>) 
1 — p 1 

> H(p')- P —jP-H{p') 
P 

I 

Lemma A. 2 The mutual information between the random variable E and the random bit S 
(with p(s = 0) > p(s = 1)) is bounded: 

I(E; S) < H(S)p(s = 0)J2 |p(e|a = 1) - p{e\s - 0)| 

e 

Proof. Using lemma |A~T1 as a bound on H(S\E) with p' — p(s — 1), we can obtain the bound 
on mutual information: 

I(E;S) = H{S)-H(S\E) 

= H(S)-Y / PeH(S\E = e) 
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< H(S) J2Pe( H W s = !)) - -T^rM 3 = ^ " P( s = !)D 
= iJ(S)^|p(e| S = l)-p(e)| 

e 

= H(S) 2 |p(e|a = 1) - (p(* = 0)p(e|* - 0) +p(s = l)p(e|s = 1))| 

e 

= H(S) P (s = 0) 53 |p(e|a = 1) - p(e|a = 0)| 

e 

I 

Lemma A. 3 If a source S outputs quantum states po and pi with probabilities po and pi 
with po > pi, then mutual information between this source and the output of any measuring 
device E is bounded: I{E; S) < H(S)p(s = 0)Tr\po — p±\ 

Proof.The source sends two states, po and p±. Eve does some POVM[T§] on them. The 
probability that Eve gets outcome x for her measurement given an input s is: p(e\s) = 
Tr{E e p s ). This gives: 

I{E-S) < H(S)p(s = 0)J2\Tr{E e (p - Pl ))\ 

e 

Since p — pi is Hermitian, we can diagonalize it as W^i) Taking this and applying 
the facts that E e are positive semi-definite and ^2 e E e = I, we get: 



< H(S)p(s 


= 0)J2\Tr(E e (p - Pl ))\ 

e 


= H(S) P (s 


= 0)J2\Tr(E e (J2Mi>i)^i 

e i 


= H(S) P (s 


= 0)53153^(^1^1^)1 

e i 


< H(S) P (s 


e i 


= H(S) P (s 


= 0)53^,1(^153^1^) 

i e 


= H(S) P (s 


= o)53ia,i 

i 


= H(S)p(s 


= 0)Tr\ Po -p 1 \ 



I 

Corollary A.l If a source S outputs quantum states po and pi, then mutual information be- 
tween this source and the output of any measuring device E is bounded: I(E; S) < H(S)Tr\po— 

Pl\ 

Proof. Consider two cases, the first where po > pi and the second where pi > pq. If po > pi, 
then using lemma lA31 we have that I(E; S) < H(S)p(s = 0)Tr\p Q - pi\. Since p(s = 0) < 1, 
we get the result. If pi > po then relabel the pi as po and vice versa. Hence in the original 
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labeling, lemma 1X731 becomes 

I(E;S)<H(S)p( S = l)Tr\ Pl ~p \ 

, and since p(s = 0) < 1 we get the result. I 
7 Bounding the Trace Norm 

As we have seen in the previous section, the trace norm distance between quantum states is a 
powerful tool for bounding mutual information. Now we look at some bounds on trace norm 
distances. 

Lemma A. 4 The trace norm distance between two pure states is: 



MM- \4>)(<t>\\ = 2Vi-|(#/>>| 2 

Proof.Define (ip\<fi) = a. Defining a new orthonormal basis we can write: 

|eo) = W 

V 1 - \ a \ 

Inverting these equations we have: 

W = leo) 



|0) = a|e ) + v / l-|a| 2 |ei) 
Using this new basis, we find that: 

IMM-MMI = |(l-|a| 2 )|e )<e |-(l-|a| 2 )| ei )( ei | 



VT - RP(a*|e 1 )(e | + a|eo}( 



This is just a 2 x 2 matrix and we can compute the trace norm by taking the absolute value 
of the eigenvalues, which are: 



I 

Lemma A. 5 The trace norm distance between any state and any pure state is bounded: 



\ P - < Vi- ¥\p¥) 



Proof.Let p = Y,iPi\<t>i) {4>i\ and apply J2iP* x i < VJ2iPi x i 2 '- 

\p-wm = i£p.-i&>tei-MMi 

i 

< j2 P i\\ct>i)(4>i\- mm 

i 

= 5>v/iH(V#*>l 2 



^ ^E^-KV^)! 2 ) 
= 2^1 - WpW) 
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I 

Definition A.l Purification of p: any pure state \ip) in TLi ®"H2 such that Tr2(\ip)(ip\) = p 
Lemma A. 6 The trace norm distance is reduced by partial trace: 

\p'-o-'\ < \p-a\ 

Where p and a are density matrices over states in Ti\ ® Ti.2 and the partial trace is over one 
of the subsystems: p' = 7>2(p) and a' = Tr^a). 

Proof. See I 
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